diff --git a/roles/infra/defaults/main.yml b/roles/infra/defaults/main.yml
index e6ba8ef..83f451b 100644
--- a/roles/infra/defaults/main.yml
+++ b/roles/infra/defaults/main.yml
@@ -34,9 +34,10 @@ infra_extra_services: [] # extra services to be added on infra home pag
 #infra_packages: [] # packages to be installed on infra nodes
 #-----------------------------------------------------------------
-# NGINX
+# CADDY vs NGINX
 #-----------------------------------------------------------------
-nginx_enabled: true # enable nginx on this infra node?
+caddy_enabled: true # use caddy as ingress controller?
+nginx_enabled: false # enable nginx on this infra node?
 nginx_clean: false # clean existing nginx config during init?
 nginx_exporter_enabled: true # enable nginx_exporter on this infra node?
 nginx_exporter_port: 9113 # nginx_exporter listen port, 9113 by default
diff --git a/roles/infra/tasks/caddy.yml b/roles/infra/tasks/caddy.yml
new file mode 100644
index 0000000..de44aeb
--- /dev/null
+++ b/roles/infra/tasks/caddy.yml
@@ -0,0 +1,42 @@
+---
+#--------------------------------------------------------------#
+# 1. Caddy Directory [caddy_dir]
+#--------------------------------------------------------------#
+- name: create caddy directory
+ tags: caddy_dir
+ file:
+ path: "{{ item.path }}"
+ state: "{{ item.state | default('directory') }}"
+ owner: "{{ item.owner | default('root') }}"
+ group: "{{ item.group | default('root') }}"
+ mode: "{{ item.mode | default('0755') }}"
+ with_items:
+ - { path: "/etc/caddy" }
+ - { path: "/etc/caddy/conf.d" }
+
+#--------------------------------------------------------------#
+# 2. Caddy Config [caddy_config]
+#--------------------------------------------------------------#
+- name: create caddy config
+ tags: caddy_config
+ template:
+ src: caddy/Caddyfile
+ dest: /etc/caddy/Caddyfile
+ owner: root
+ group: root
+ mode: '0644'
+ notify: reload caddy
+
+#--------------------------------------------------------------#
+# 3. Caddy Service [caddy_launch]
+#--------------------------------------------------------------#
+# If installed via script/binary, we might need a systemd service.
+# If installed via yum/apt, it usually comes with one.
+# Assuming we need to ensure it's enabled and started.
+- name: launch caddy service
+ tags: caddy_launch
+ systemd:
+ name: caddy
+ state: started
+ enabled: yes
+ daemon_reload: yes
diff --git a/roles/infra/tasks/main.yml b/roles/infra/tasks/main.yml
index 39714da..33af6e3 100644
--- a/roles/infra/tasks/main.yml
+++ b/roles/infra/tasks/main.yml
@@ -51,6 +51,14 @@
 when: nginx_enabled|bool
 tags: nginx
+#--------------------------------------------------------------#
+# 8. Caddy [caddy]
+#--------------------------------------------------------------#
+# setup caddy as the ingress controller
+- import_tasks: caddy.yml
+ when: caddy_enabled|bool
+ tags: caddy
+
 #--------------------------------------------------------------#
 # 8. Victoria [victoria]
 #--------------------------------------------------------------#
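Review bot: In roles/infra/tasks/caddy.yml the `create caddy config` task writes `/etc/caddy/Caddyfile` and notifies `reload caddy` without checking the rendered file, so a template error reaches the live ingress configuration and only surfaces when the reload fails. The `template` module can run the check before the file is replaced, e.g. `validate: caddy validate --adapter caddyfile --config %s` (relative imports such as the `conf.d` directory would need absolute paths for this to work). Neither the `reload caddy` handler nor the `caddy/Caddyfile` template is part of the visible diff, so confirm both exist in the role. The comment above `launch caddy service` says the unit file is only assumed; state which package or task provides it, and write `enabled: true` and `daemon_reload: true` instead of `yes`.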
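Review bot: The new `import_tasks: caddy.yml` block in roles/infra/tasks/main.yml is gated only on `caddy_enabled`, and nothing visible stops or disables nginx, so a node provisioned under the old default still has nginx running when caddy is started. If the Caddyfile (not shown) listens on the same ports, `launch caddy service` would presumably fail to bind; an `assert` that `caddy_enabled` and `nginx_enabled` are not both true, or a task that stops nginx when caddy is selected, would make the switch explicit. Any access control the nginx configuration enforced needs an equivalent in the Caddy configuration before the default flips, and roles/infra/defaults/main.yml still leaves `nginx_exporter_enabled: true` while setting `nginx_enabled: false`, which looks inconsistent. The header `# 8. Caddy [caddy]` reuses the number of `# 8. Victoria [victoria]` just below, and the nginx task that the first context lines belong to starts above the hunk.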
diff --git a/roles/infra/templates/grafana/grafana.ini.j2 b/roles/infra/templates/grafana/grafana.ini.j2
new file mode 100644
index 0000000..e01ca99
--- /dev/null
+++ b/roles/infra/templates/grafana/grafana.ini.j2
@@ -0,0 +1,55 @@
+[paths]
+data = {{ grafana_data_dir | default('/var/lib/grafana') }}
+logs = {{ grafana_log_dir | default('/var/log/grafana') }}
+plugins = {{ grafana_plugin_dir | default('/var/lib/grafana/plugins') }}
+provisioning = {{ grafana_conf_dir | default('/etc/grafana') }}/provisioning
+
+[server]
+protocol = http
+http_addr = 0.0.0.0
+http_port = {{ grafana_port | default(3000) }}
+domain = {{ grafana_domain | default('localhost') }}
+root_url = %(protocol)s://%(domain)s:%(http_port)s/
+serve_from_sub_path = false
+
+[database]
+{% if grafana_pgurl is defined and grafana_pgurl != '' %}
+type = postgres
+host = {{ grafana_pgurl.split('@')[1].split('/')[0] }}
+name = {{ grafana_pgurl.split('/')[-1] }}
+user = {{ grafana_pgurl.split('://')[1].split(':')[0] }}
+password = {{ grafana_pgurl.split(':')[1].split('@')[0] }}
+{% else %}
+type = sqlite3
+path = grafana.db
+{% endif %}
+
+[security]
+admin_user = {{ grafana_admin_username | default('admin') }}
+admin_password = {{ grafana_admin_password | default('pigsty') }}
+disable_gravatar = true
+allow_embedding = true
+cookie_samesite = disabled
+
+[auth.anonymous]
+enabled = true
+org_name = Main Org.
+org_role = Viewer
+
+[auth.basic]
+enabled = false
+
+[users]
+allow_sign_up = false
+auto_assign_org = true
+auto_assign_org_role = Viewer
+
+[dashboards]
+versions_to_keep = 20
+min_refresh_interval = 100ms
+
+[panels]
+disable_sanitize_html = true
+
+[unified_alerting]
+enabled = true
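Review bot: The `password =` line in the `[database]` branch takes `grafana_pgurl.split(':')[1]`, which for a `scheme://user:pass@host:port/db` URL is the `//user` piece rather than the password; the `host`, `name` and `user` splits also break when the password contains `:`, `@` or `/`, or when the URL carries a query string. Grafana's `[database]` section accepts the whole connection string, so the four lines can become `url = {{ grafana_pgurl }}`, or each field can be taken with the `urlsplit` filter, e.g. `{{ grafana_pgurl | urlsplit('password') }}`. Separately, `[security]` falls back to `admin_password = pigsty` while the server binds `0.0.0.0` with anonymous Viewer access, `allow_embedding = true`, `cookie_samesite = disabled` and `disable_sanitize_html = true`; each of these relaxations deserves a comment saying why it is needed, and the password is safer as `{{ grafana_admin_password | mandatory }}` so a render without a supplied secret fails. The task that deploys this template is not in the diff, so confirm it writes the file with an owner and mode that keep the credentials unreadable to other local users.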